Previous Section  < Day Day Up >  Next Section

SNMP

The Simple Network Management Protocol (SNMP) manages and monitors networking devices. Cisco ASA SNMP inspection enables packet traffic monitoring between network devices. The Cisco ASA can be configured to deny traffic based on the SNMP packet version. Early versions of SNMP are less secure. Denying SNMPv1 traffic may be required by your security policy. This is done by configuring an SNMP map with the snmp-map command and then associating it to the inspect snmp command, as shown in Example 8-15.

Example 8-15. SNMP Inspection
snmp-map mysnmpmap

 deny version 1

policy-map asa_global_fw_policy

 class inspection_default

  inspect snmp mysnmpmap

In Example 8-15, the Cisco ASA is setup for an snmp map, called mysnmpmap, which denies any SNMPv1 packets. The following are the deny version subcommand options:

  • 1 = SNMP version 1

  • 2 = SNMP version 2 (party based)

  • 2c = SNMP version 2c (community based)

  • 3 = SNMP version 3

    Previous Section  < Day Day Up >  Next Section